Security Now 257

From The Official TWiT Wiki
Security Now 257: Your Questions, Steve's Answers #96

News & Errata

4:15 - 6:40

  • Microsoft fixed 4 remote code execution vulnerabilities this Tuesday
  • Help Center Vulnerability is fixed
  • Vista/Win7 Aero theoretical vulnerability is fixed
  • Office ActiveX vulnerability fixed
  • Office Outlook vulnerability fixed

6:41 - 7:36

  • Google Chrome has been updated to v5.0.375.99
  • Fixes four memory corruption-related bugs related to Chrome's handling of SVG and PNG images and CSS style sheets

7:37 - 11:13

  • There's a new DNS service from Alex Eckelberry (Sunbelt Software) called ClearCloud DNS
  • It helps protect users from visiting bad sites by not returning IPs for known bad sites
  • The IP address of their DNS server is 74.118.212.1
  • ClearCloud DNS

11:14 - 12:56

  • Facebook is now in trouble with the German government over data privacy laws
  • From SANS Newsletter: "Facebook routinely asks people who are already members to upload contact lists from their mobile phones and email accounts so Facebook can invite those people to join. Facebook retains the contact information, whether or not the people choose to join, even though the people have not given Facebook permission to store that information."
  • Hamburg Data Protection Authority head Johannes Caspar has received several complaints from individuals whose information has been shared with third parties.

12:57 - 18:42

  • Microsoft has decided to share their source code with the Russian Intelligence Agency (FSB)
  • Russia will use it to develop cryptography for Microsoft products

18:43 - 19:45

  • LastPass is adding a new feature because of last week's podcast
  • After a user's grid has been used a certain number of times, they will get an email advising them to destroy it and generate a new one

19:46 - 21:19

  • Security Now listeners can get 30% off the purchase of 1-5 YubiKeys
  • Yubico
  • Coupon Code: securitynow
  • Expires August 31st 2010

21:20 - 25:46

  • Windows XP SP2 is no longer supported by Microsoft
  • Microsoft says 4% of workplace PCs are still running WinXP on 4.4-year-old hardware and report no plans to upgrade

Spinrite Story

25:47 - 28:19 Eric Girlock (Unknown)

Spinrite fixed a hard drive so well that Dell wouldn't replace it, as they did not believe the hard drive had died in the first place.

Questions & Answers

32:54 - 01:22:50

Comment: [ 01 ]

32:54 - 37:40 Dan Ducasse (Atascadero, Calif)
Listener Comment: The listener knew Steve personally when he was younger:

"You were in Boy Scout Troop 12 with my brothers Paul and Marc, and had come over to our house for some reason and brought with you a cigar box with two brass door knobs mounted on the lid. Back then you were known for your inventions, and you and my brothers approached me to test out your latest gadget, "The Smile Machine". It looked harmless enough, a couple of door knobs, and a switch on the outside; a little battery, some wires, and other junk on the inside. You or my brothers instructed me "Just hold the door knobs and when the switch is pushed it will make you smile". Sure enough, when the button was pushed I was grinning from ear to ear. I was also locked onto the door knobs until the power was turned off. It was a great gag.

Listening to the story of the sonic gun, the memories started coming back. I remember my brothers coming home from school telling stories of seagulls falling out of the sky and the Archibald incident. You were educating and entertaining us back then and you are still educating us and entertaining us today.

Thanks for the memories, and thanks for all of your current work."

Steve's Comment: Steve remembers this and got a kick out of hearing the story again.

Question: [ 02 ]

37:41 - 46:26 Mary (Sparks, Nevada)
Question: How is it possible to know whether or not their JavaScript-based encryption algorithm has been properly validated? Could it be possible that they could end up in a "WEP" situation?

Also, is it possible to know whether they might be performing two separate encryptions of user data? They might encrypt once with a key based on the user's master password, and separately a second time with their own closely guarded master password which only the developers at LastPass know..... then after a short time of collecting millions of users' sensitive data, they could be doing all kinds of havoc unbeknownst to their trusting users.

It sure would be nice if they had some kind of independent code review.

I'm also concerned that they send the user's encrypted data over HTTPS to their servers. If their local encryption is done well, then it should be OK for them to send the already encrypted data in the clear, so a user could examine the outgoing data packets to make sure the local encryption was actually performed.

How is it possible to confirm the TNO model, if we are left to trust they are performing the local encryption properly?

Answer: Visit this page

They use the authentication part of HTTPS to prevent a man-in-the-middle attack.

You can use "HTTPS Analyzer" or "Fiddler 2" to intercept your own SSL communication and look at what LastPass is actually sending, i.e. whether the data leaving your machine is already encrypted.

Comment: [ 03 ]

46:27 - 55:41 Anon (Boston, MA)
Listener Comment: If I leave my email account open, or someone knows my email password, then anyone with access to a PC where I have installed and used LastPass can break into my LastPass account.

By default, this Preference => Advanced option is selected: "Save a disabled One Time Password locally for Account Recovery".

At login, if an intruder selects "I forgot my password, Help!" he is taken to the Account Recovery Page "to activate your local one time password and recover your account." (see below).

The intruder enters my email address and then receives a message sent to my email account and he gets the option to set a new LastPass Master Password for my account.

This is a weakness that could be resolved by changing the Account Recovery default to deselected (as I have now done manually).

This option is presumably set to assist all those people who forget their LastPass Master Password, but it is a real vulnerability which should be addressed.

Steve's Comment: He is correct. This feature exists because if a user loses their master password it's over: the stored data can never be decrypted again. For maximum security you should disable this option, but understand that you then risk losing all your passwords if you forget your master password. This is also a PER MACHINE option, so you need to disable it on every machine you use.

Question: [ 04 ]

55:42 - 58:48 René van Belzen (Netherlands)
Question: Does LastPass filter out dictionary words, and can you check the strength of a password independent of LastPass?

Answer: If you use a 10 character password, the chance of a dictionary word being produced from 10 randomly selected characters is:

1 in (7.9 x 10^17 / number of 10 character words in the dictionary)

However, you can force the password generator to insert a given number of digits into your password.

They can't filter out dictionary words easily, as they never see the plain text password.

Question: [ 05 ]

58:49 - 01:04:39 Ronald Stepp (Enterprise, Alabama)
Question: If you use LastPass for your iTunes password, then how can you give iTunes your password on an iPad / iPhone / iPod?

Answer: There is no easy solution that Steve can see.

Comment: [ 06 ]

01:04:40 - 01:08:35 Ken Varga (Stevens Point, WI)
Listener Comment: During the show, you recommended having LastPass generate 10-character passwords consisting of uppercase, lowercase, and numbers for website logins, since this provides 59.5 bits of randomness to your passwords.

You also noted that by having LastPass not include symbols or other special characters makes your passwords easier to manually type in should the need arise. In that vein, I have a suggestion to further simplify the situation, and it is what I did:

In the LastPass password generation screen, I tell it to give me a 12-character password using only numbers and lowercase letters. I also check the "Avoid Ambiguous Characters" box. While I couldn't find documentation on that option, I have experimentally determined that it excludes the numbers "0" and "1" as well as the letters "i", "l" and "o". Omitting these characters helps make it harder to misread the password, since it is easy to confuse (for example) the number "1" with a lowercase letter "l".

This gives 31 unique characters for LastPass to work with, and if my math is correct a 12 character password should provide 59.4 random bits, pretty much the same as your 59.5 bit password, and I find it much easier (less error-prone) to transcribe, if needed, than one using uppercase and lowercase characters. Any thoughts on this? It seems to me that 12 characters is still quite compact, and most websites, even if storing passwords in plaintext (*shudder*), seem to allow it.

As an aside, 13 lowercase characters provides 61.1 bits of randomness, and may be even easier to type, but has the problem of not being allowed on some sites for understandable reasons (e.g., banking sites).

Steve's Comment: His math is correct, and Steve wants to suggest this to listeners.
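To check the entropy figures in this comment and in Question 04 (forcing digits into a generated password), here is an added example in Python; it is not LastPass code or anything from the show, and the ambiguous-character set is taken from the listener's own experiment above.

```python
import math
import secrets
import string

# Characters the listener found that "Avoid Ambiguous Characters" drops
# (taken from the comment above, not from LastPass documentation).
AMBIGUOUS = set("01ilo")


def alphabet(lower=True, upper=False, digits=False, avoid_ambiguous=False):
    """Build the character set the generator draws from."""
    chars = ""
    if lower:
        chars += string.ascii_lowercase
    if upper:
        chars += string.ascii_uppercase
    if digits:
        chars += string.digits
    if avoid_ambiguous:
        chars = "".join(c for c in chars if c not in AMBIGUOUS)
    return chars


def entropy_bits(alphabet_size, length):
    """Bits of randomness in a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def compare_profiles():
    """Entropy of the three generator settings discussed in the episode."""
    return {
        "10 chars, upper+lower+digits": entropy_bits(len(alphabet(True, True, True)), 10),
        "12 chars, lower+digits, no ambiguous": entropy_bits(len(alphabet(True, False, True, True)), 12),
        "13 chars, lower only": entropy_bits(26, 13),
    }


def generate(length, chars, min_digits=0):
    """Uniformly random password from chars, optionally guaranteeing min_digits digit
    positions (the 'force X digits' option). Forcing digits makes the output slightly
    less uniform, so the true entropy is a little below entropy_bits()."""
    digit_pool = [c for c in chars if c.isdigit()]
    if min_digits > length or (min_digits and not digit_pool):
        raise ValueError("cannot satisfy min_digits with this alphabet/length")
    pw = [secrets.choice(chars) for _ in range(length)]
    # Overwrite min_digits distinct random positions with digits.
    for pos in secrets.SystemRandom().sample(range(length), min_digits):
        pw[pos] = secrets.choice(digit_pool)
    return "".join(pw)
```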

Comment: [ 07 ]

01:08:36 - 01:15:08 Chris Morton (Gurnee, Illinois)
Listener Comment: You should tell listeners that they still need to change their passwords regularly.

Steve's Comment: This would only be a good idea if you are using the same password on many sites and one of those sites had its username and password database compromised, or if a site's database was compromised but the stolen data is not used immediately. Basically, yes, this would make you more secure, but Steve isn't worried about doing this.

Question: [ 08 ]

01:15:09 - 01:22:50 Trevor Harrison (Langley B.C)
Question: Why do you recommend 10 character passwords for websites but 63 character passwords for WPA keys?

Answer: The more characters in a password the better. 10 characters is a lot; 63 is ridiculously high. The problem is that you may be in a situation where you need to enter a password manually, and entering a 63 character password manually is nearly impossible. With Wi-Fi you enter the password once and never have to worry about it again, which is different from websites, where you enter the password more frequently. Also, unfortunately, many websites will not accept a 63 character password. Furthermore, a brute-force attack can be run against a Wi-Fi key without limit, whereas many websites will not allow an unlimited number of login attempts.

Sponsors

Carbonite Pro

Production Information

  • Edited by: djc
  • Notes: